{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,3,2]],"date-time":"2026-03-02T20:02:36Z","timestamp":1772481756572,"version":"3.50.1"},"reference-count":43,"publisher":"Oxford University Press (OUP)","issue":"9","license":[{"start":{"date-parts":[[2025,2,10]],"date-time":"2025-02-10T00:00:00Z","timestamp":1739145600000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/academic.oup.com\/pages\/standard-publication-reuse-rights"}],"funder":[{"DOI":"10.13039\/501100012166","name":"National Key Research and Development Program of China","doi-asserted-by":"publisher","award":["2023YFB3106302"],"award-info":[{"award-number":["2023YFB3106302"]}],"id":[{"id":"10.13039\/501100012166","id-type":"DOI","asserted-by":"publisher"}]},{"DOI":"10.13039\/501100012166","name":"National Key Research and Development Program of China","doi-asserted-by":"publisher","award":["2023YFB3106300"],"award-info":[{"award-number":["2023YFB3106300"]}],"id":[{"id":"10.13039\/501100012166","id-type":"DOI","asserted-by":"publisher"}]}],"content-domain":{"domain":[],"crossmark-restriction":false},"short-container-title":[],"published-print":{"date-parts":[[2025,9,21]]},"abstract":"<jats:title>Abstract<\/jats:title>\n               <jats:p>Federated learning (FL) enables collaborative training of global models among distributed clients without sharing local data. Secure aggregation, a new security primitive of FL, enhances the confidentiality of data and model parameters. Unfortunately, privacy-preserving (PP) FL is vulnerable to common poisoning attacks by Byzantine adversaries. Existing defense strategies mainly focus on identifying abnormal local gradients over plaintexts, which provides a weak privacy guarantee. In PPFL, adversaries can escape existing defenses by uploading encrypted poisonous gradients. In addition, most mainstream aggregation algorithms assume that clients\u2019 local training data is uniformly distributed, Independent and Identically Distributed (IID), which is unrealistic for real-world FL scenarios where data are only stored on large-scale terminal devices. To address these issues, we propose PEAR, a PP aggregation strategy based on single key-dual server CKKS full homomorphic encryption in real-world distributed scenarios, which can resist encrypted poisoning attacks. Specifically, we use cosine similarity to measure the distance between encrypted gradients. Then, we propose a novel Byzantine-tolerance aggregation mechanism using cosine similarity, which includes trust score generation that can tolerate differentiated local gradients and a two-step weight generation method that considers both the degree of gradient deviation in direction and training data size. This mechanism can achieve robustness for both IID and non-IID data without compromising privacy. Our extensive evaluations for two typical poisoning attacks on different datasets show that PEAR is robust and effective in IID and non-IID data and outperforms existing mainstream Byzantine-robust algorithms, especially achieving 16.4% to 53.2% testing error rate reduction in non-IID settings with significant label distribution and quantity skew while maintaining the same efficiency as FedAvg.<\/jats:p>","DOI":"10.1093\/comjnl\/bxae086","type":"journal-article","created":{"date-parts":[[2024,8,28]],"date-time":"2024-08-28T09:32:27Z","timestamp":1724837547000},"page":"1087-1104","source":"Crossref","is-referenced-by-count":5,"title":["PEAR: privacy-preserving and effective aggregation for byzantine-robust federated learning in real-world scenarios"],"prefix":"10.1093","volume":"68","author":[{"given":"Han","family":"Sun","sequence":"first","affiliation":[{"name":"Institute of Information Engineering, Chinese Academy of Sciences , 19 Shucun Road, Haidian District, Beijing 100085 ,","place":["China"]},{"name":"School of Cyber Security, University of Chinese Academy of Sciences , No. 19 Yuquan Road, Beijing 100049 ,","place":["China"]},{"name":"School of Integrated Circuits, Tsinghua University , Beijing ,","place":["China"]},{"name":"Beijing National Research Center for Information Science and Technology , Beijing ,","place":["China"]}]},{"given":"Yan","family":"Zhang","sequence":"additional","affiliation":[{"name":"Institute of Information Engineering, Chinese Academy of Sciences , 19 Shucun Road, Haidian District, Beijing 100085 ,","place":["China"]},{"name":"School of Cyber Security, University of Chinese Academy of Sciences , No. 19 Yuquan Road, Beijing 100049 ,","place":["China"]}]},{"given":"Huiping","family":"Zhuang","sequence":"additional","affiliation":[{"name":"Shien-Ming Wu School of Intelligent Engineering, South China University of Technology , 777 Xingye Avenue East, Panyu District, Guangzhou City 511442 ,","place":["China"]}]},{"given":"Jiatong","family":"Li","sequence":"additional","affiliation":[{"name":"Institute of Information Engineering, Chinese Academy of Sciences , 19 Shucun Road, Haidian District, Beijing 100085 ,","place":["China"]},{"name":"School of Cyber Security, University of Chinese Academy of Sciences , No. 19 Yuquan Road, Beijing 100049 ,","place":["China"]}]},{"given":"Zhen","family":"Xu","sequence":"additional","affiliation":[{"name":"Institute of Information Engineering, Chinese Academy of Sciences , 19 Shucun Road, Haidian District, Beijing 100085 ,","place":["China"]}]},{"given":"Liji","family":"Wu","sequence":"additional","affiliation":[{"name":"School of Integrated Circuits, Tsinghua University , Beijing ,","place":["China"]},{"name":"Beijing National Research Center for Information Science and Technology , Beijing ,","place":["China"]}]}],"member":"286","published-online":{"date-parts":[[2025,2,10]]},"reference":[{"key":"2025092201572163200_ref1","doi-asserted-by":"publisher","first-page":"1","DOI":"10.1145\/3298981","article-title":"Federated machine learning: Concept and applications","volume":"10","author":"Yang","year":"2019","journal-title":"ACM Trans Intell Syst Technol"},{"key":"2025092201572163200_ref2","first-page":"1273","article-title":"Communication-efficient learning of deep networks from decentralized data","volume-title":"Proceedings of the 20th International Conference on Artificial Intelligence and Statistics, AISTATS 2017., Fort Lauderdale, FL, USA, 20\u201322 April 2017","author":"McMahan","year":"2017"},{"key":"2025092201572163200_ref3","first-page":"175","article-title":"Iotfla: A secured and privacy-preserving smart home architecture implementing federated learning","volume-title":"2019 IEEE Security and Privacy Workshops, SP Workshops 2019., San Francisco, CA, USA, May 19\u201323, 2019","author":"A\u00efvodji","year":"2019"},{"key":"2025092201572163200_ref4","doi-asserted-by":"publisher","first-page":"1","DOI":"10.1145\/3412357","article-title":"Federated learning in a medical context: a systematic literature review","volume":"21","author":"Pfitzner","year":"2021","journal-title":"ACM Trans Internet Technol"},{"key":"2025092201572163200_ref5","doi-asserted-by":"publisher","first-page":"7751","DOI":"10.1109\/JIOT.2020.2991401","article-title":"Privacy-preserving traffic flow prediction: a federated learning approach","volume":"7","author":"Liu","year":"2020","journal-title":"IEEE Internet Things J"},{"key":"2025092201572163200_ref6","first-page":"14747","article-title":"Deep leakage from gradients","volume-title":"Advances in Neural Information Processing Systems 32: Annual Conference on Neural Information Processing Systems 2019, NeurIPS 2019., Vancouver, BC, Canada, December 8\u201314, 2019","author":"Zhu","year":"2019"},{"key":"2025092201572163200_ref7","first-page":"691","article-title":"Exploiting unintended feature leakage in collaborative learning","volume-title":"2019 IEEE Symposium on Security and Privacy, SP 2019., San Francisco, CA, USA, May 19\u201323, 2019","author":"Melis","year":"2019"},{"key":"2025092201572163200_ref8","first-page":"603","article-title":"Deep models under the Gan: information leakage from collaborative deep learning","volume-title":"Proceedings of the 2017 ACM SIGSAC Conference on Computer and Communications Security, CCS 2017., Dallas, TX, USA, October 30\u2013November 03, 2017","author":"Hitaj","year":"2017"},{"key":"2025092201572163200_ref9","first-page":"1175","article-title":"Practical secure aggregation for privacy-preserving machine learning","volume-title":"Proceedings of the 2017 ACM SIGSAC Conference on Computer and Communications Security, CCS 2017., Dallas, TX, USA, October 30\u2013November 03, 2017","author":"Bonawitz","year":"2017"},{"key":"2025092201572163200_ref10","first-page":"1","article-title":"A hybrid approach to privacy-preserving federated learning","volume-title":"Proceedings of the 12th ACM Workshop on Artificial Intelligence and Security, AISec@CCS 2019., London, UK, November 15, 2019","author":"Truex","year":"2019"},{"key":"2025092201572163200_ref11","first-page":"493","article-title":"Batchcrypt: Efficient homomorphic encryption for cross-silo federated learning","volume-title":"2020 USENIX Annual Technical Conference, USENIX ATC 2020., July 15\u201317, 2020","author":"Zhang","year":"2020"},{"key":"2025092201572163200_ref12","doi-asserted-by":"crossref","first-page":"911","DOI":"10.1109\/TIFS.2019.2929409","article-title":"Verifynet: secure and verifiable federated learning","volume":"15","author":"Xu","year":"2019","journal-title":"IEEE Trans Inf Forensics Secur"},{"key":"2025092201572163200_ref13","first-page":"1","article-title":"A privacy-preserving and verifiable federated learning scheme","volume-title":"2020 IEEE International Conference on Communications, ICC 2020., Dublin, Ireland, June 7\u201311, 2020","author":"Zhang","year":"2020"},{"key":"2025092201572163200_ref14","doi-asserted-by":"publisher","DOI":"10.1145\/3335772.3335936","volume-title":"The Byzantine generals problem. In: Concurrency: The Works of Leslie Lamport","author":"Lamport","year":"2019"},{"key":"2025092201572163200_ref15","first-page":"16","article-title":"Exploiting machine learning to subvert your spam filter","volume-title":"First USENIX Workshop on Large-Scale Exploits and Emergent Threats, LEET \u201808., San Francisco, CA, USA, April 15, 2008","author":"Nelson","year":"2008"},{"key":"2025092201572163200_ref16","article-title":"Poisoning attacks against support vector machines","volume-title":"Proceedings of the 29th International Conference on Machine Learning, ICML 2012., Edinburgh, Scotland, UK, June 26\u2013July 1, 2012","author":"Biggio","year":"2012"},{"key":"2025092201572163200_ref17","first-page":"1605","article-title":"Local model poisoning attacks to byzantine-robust federated learning","volume-title":"29th USENIX Security Symposium, USENIX Security 2020., August 12\u201314, 2020","author":"Fang","year":"2020"},{"key":"2025092201572163200_ref18","first-page":"634","article-title":"Analyzing federated learning through an adversarial lens","volume-title":"Proceedings of the 36th International Conference on Machine Learning, ICML 2019., Long Beach, CA, USA, 9\u201315 June 2019","author":"Bhagoji","year":"2019"},{"key":"2025092201572163200_ref19","first-page":"2938","article-title":"How to backdoor federated learning","volume-title":"The 23rd International Conference on Artificial Intelligence and Statistics, AISTATS 2020, Palermo, Sicily, Italy, 26\u201328 August 2020","author":"Bagdasaryan","year":"2020"},{"key":"2025092201572163200_ref20","article-title":"Dba: Distributed backdoor attacks against federated learning","volume-title":"8th International Conference on Learning Representations, ICLR 2020., Addis Ababa, Ethiopia, April 26\u201330, 2020","author":"Xie","year":"2020"},{"key":"2025092201572163200_ref21","first-page":"119","article-title":"Machine learning with adversaries: Byzantine tolerant gradient descent","volume-title":"Advances in Neural Information Processing Systems 30: Annual Conference on Neural Information Processing Systems 2017, Long Beach, CA, USA, December 4\u20139, 2017","author":"Blanchard","year":"2017"},{"key":"2025092201572163200_ref22","doi-asserted-by":"publisher","first-page":"1","DOI":"10.1145\/3154503","article-title":"Distributed statistical machine learning in adversarial settings: Byzantine gradient descent","volume":"1","author":"Chen","year":"2017","journal-title":"Proc ACM Meas Anal Comput Syst"},{"key":"2025092201572163200_ref23","first-page":"5636","article-title":"Byzantine-robust distributed learning: towards optimal statistical rates","volume-title":"Proceedings of the 35th International Conference on Machine Learning, ICML 2018, Stockholmsm\u00e4ssan, Stockholm, Sweden, July 10\u201315, 2018","author":"Yin","year":"2018"},{"key":"2025092201572163200_ref24","first-page":"3518","article-title":"The hidden vulnerability of distributed learning in byzantium","volume-title":"Proceedings of the 35th International Conference on Machine Learning, ICML 2018., Stockholmsm\u00e4ssan, Stockholm, Sweden, July 10\u201315, 2018","author":"Mhamdi","year":"2018"},{"key":"2025092201572163200_ref25","article-title":"Mitigating sybils in federated learning poisoning","author":"Fung"},{"key":"2025092201572163200_ref26","first-page":"1544","article-title":"Rsa: Byzantine-robust stochastic aggregation methods for distributed learning from heterogeneous datasets","volume-title":"The Thirty-Third AAAI Conference on Artificial Intelligence, AAAI 2019, The Thirty-First Innovative Applications of Artificial Intelligence Conference, IAAI 2019, The Ninth AAAI Symposium on Educational Advances in Artificial Intelligence, EAAI 2019., Honolulu, Hawaii, USA, January 27\u2013February 1, 2019","author":"Li","year":"2019"},{"key":"2025092201572163200_ref27","first-page":"4618","article-title":"Byzantine stochastic gradient descent","volume-title":"Advances in Neural Information Processing Systems 31: Annual Conference on Neural Information Processing Systems 2018, NeurIPS 2018., Montr\u00e9al, Canada, December 3\u20138, 2018","author":"Alistarh","year":"2018"},{"key":"2025092201572163200_ref28","first-page":"43","article-title":"Adversarial machine learning","volume-title":"Proceedings of the 4th ACM Workshop on Security and Artificial Intelligence, AISec 2011, Chicago, IL, USA, October, 21, 2011","author":"Huang","year":"2011"},{"key":"2025092201572163200_ref29","doi-asserted-by":"publisher","first-page":"2848","DOI":"10.1109\/TIFS.2022.3196274","article-title":"Privacy-preserving byzantine-robust federated learning via blockchain systems","volume":"17","author":"Miao","year":"2022","journal-title":"IEEE Trans Inf Forensics Secur"},{"key":"2025092201572163200_ref30","doi-asserted-by":"publisher","first-page":"4574","DOI":"10.1109\/TIFS.2021.3108434","article-title":"Privacy-enhanced federated learning against poisoning adversaries","volume":"16","author":"Liu","year":"2021","journal-title":"IEEE Trans. Inf. Forensics Secur."},{"key":"2025092201572163200_ref31","doi-asserted-by":"publisher","first-page":"1639","DOI":"10.1109\/TIFS.2022.3169918","article-title":"Shieldfl: Mitigating model poisoning attacks in privacy-preserving federated learning","volume":"17","author":"Ma","year":"2022","journal-title":"IEEE Trans. Inf. Forensics Secur."},{"key":"2025092201572163200_ref32","doi-asserted-by":"crossref","DOI":"10.14722\/ndss.2021.24434","article-title":"Fltrust: Byzantine-robust federated learning via trust bootstrapping","volume-title":"28th Annual Network and Distributed System Security Symposium, NDSS 2021., February21-25, 2021","author":"Cao","year":"2021"},{"key":"2025092201572163200_ref33","first-page":"409","article-title":"Homomorphic encryption for arithmetic of approximate numbers","volume-title":"Advances in cryptology - ASIACRYPT 2017 - 23rd international conference on the theory and applications of cryptology and information security., Hong Kong, China, December 3-7, 2017, proceedings, part I","author":"Cheon","year":"2017"},{"key":"2025092201572163200_ref34","first-page":"965","article-title":"Federated learning on non-iid data silos: An experimental study","volume-title":"38th IEEE International Conference on Data Engineering, ICDE 2022, Kuala Lumpur, Malaysia, May 9\u201312, 2022","author":"Li","year":"2022"},{"key":"2025092201572163200_ref35","first-page":"508","article-title":"Auror: Defending against poisoning attacks in collaborative deep learning systems","volume-title":"Proceedings of the 32nd Annual Conference on Computer Security Applications, ACSAC 2016, Los Angeles, CA, USA, December 5\u20139, 2016","author":"Shen","year":"2016"},{"key":"2025092201572163200_ref36"},{"key":"2025092201572163200_ref37","article-title":"Federated learning: Strategies for improving communication efficiency","author":"Kone\u010dny"},{"key":"2025092201572163200_ref38","first-page":"6","article-title":"MNIST handwritten digit database","author":"LeCun","year":"2010"},{"key":"2025092201572163200_ref39","article-title":"Fashion-mnist: a novel image dataset for benchmarking machine learning algorithms","author":"Xiao"},{"key":"2025092201572163200_ref40","article-title":"Learning multiple layers of features from tiny images","volume":"1","author":"Krizhevsky","year":"2009","journal-title":"Handbook of Systemic Autoimmune Diseases"},{"key":"2025092201572163200_ref41","first-page":"770","article-title":"Deep residual learning for image recognition","volume-title":"2016 IEEE Conference on Computer Vision and Pattern Recognition, CVPR 2016., Las Vegas, NV, USA, June 27\u201330, 2016","author":"He","year":"2016"},{"key":"2025092201572163200_ref42","first-page":"223","article-title":"Public-key cryptosystems based on composite degree residuosity classes","volume-title":"Advances in cryptology - EUROCRYPT \u201899, international conference on the theory and application of cryptographic techniques, Prague, Czech Republic, May 2-6, 1999","author":"Paillier","year":"1999"},{"key":"2025092201572163200_ref43","first-page":"119","article-title":"A generalisation, a simplification and some applications of paillier\u2019s probabilistic public-key system","volume-title":"Public Key Cryptography, 4th International Workshop on Practice and Theory in Public Key Cryptography, PKC 2001, Cheju Island, Korea, February 13\u201315, 2001","author":"Damg\u00e5rd","year":"2001"}],"container-title":["The Computer Journal"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/academic.oup.com\/comjnl\/article-pdf\/68\/9\/1087\/61819071\/bxae086.pdf","content-type":"application\/pdf","content-version":"vor","intended-application":"syndication"},{"URL":"https:\/\/academic.oup.com\/comjnl\/article-pdf\/68\/9\/1087\/61819071\/bxae086.pdf","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,9,22]],"date-time":"2025-09-22T05:57:40Z","timestamp":1758520660000},"score":1,"resource":{"primary":{"URL":"https:\/\/academic.oup.com\/comjnl\/article\/68\/9\/1087\/8006389"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2025,2,10]]},"references-count":43,"journal-issue":{"issue":"9","published-online":{"date-parts":[[2025,2,10]]},"published-print":{"date-parts":[[2025,9,21]]}},"URL":"https:\/\/doi.org\/10.1093\/comjnl\/bxae086","relation":{},"ISSN":["0010-4620","1460-2067"],"issn-type":[{"value":"0010-4620","type":"print"},{"value":"1460-2067","type":"electronic"}],"subject":[],"published-other":{"date-parts":[[2025,9]]},"published":{"date-parts":[[2025,2,10]]}}}